Export limit exceeded: 10890 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10890 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4202 | 2 Multicollab, Wordpress | 2 Multicollab: Content Team Collaboration And Editorial Workflow, Wordpress | 2026-05-18 | 4.3 Medium |
| The Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf_add_comment' function in all versions up to, and including, 5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add comments to arbitrary collaborations. | ||||
| CVE-2026-8681 | 2 Essentialplugin, Wordpress | 2 Essential Chat Support, Wordpress | 2026-05-18 | 5.3 Medium |
| The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to reset all plugin configuration settings — including general settings, display rules, custom CSS, and WooCommerce tab settings — to their defaults by sending a POST request with ecs_reset_settings=1. | ||||
| CVE-2026-44125 | 1 Seppmail | 1 Secure Email Gateway | 2026-05-18 | N/A |
| SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session. | ||||
| CVE-2026-46362 | 1 Thorsten | 1 Phpmyfaq | 2026-05-18 | 6.5 Medium |
| phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated users, exposing admin logs, user data, system information, and application configuration. | ||||
| CVE-2026-1631 | 2 Smashballoon, Wordpress | 2 Feeds For Youtube, Wordpress | 2026-05-18 | 5.4 Medium |
| The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key. | ||||
| CVE-2026-44718 | 1 Mathesar-foundation | 1 Mathesar | 2026-05-18 | N/A |
| Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration_id without verifying that the requesting user was a collaborator on the exploration’s database. An authenticated user on the same Mathesar installation who knew or guessed an exploration ID could read, replace, or delete a saved exploration belonging to a database where they were not a collaborator. This affected Mathesar-managed saved exploration definitions, including names, descriptions, selected columns, display metadata, filters, sorting, and transformations. This vulnerability is fixed in 0.10.0. | ||||
| CVE-2026-6472 | 1 Postgresql | 1 Postgresql | 2026-05-18 | 5.4 Medium |
| Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. | ||||
| CVE-2026-3117 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 6.5 Medium |
| Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600 | ||||
| CVE-2026-6342 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601 | ||||
| CVE-2026-6341 | 1 Mattermost | 1 Mattermost | 2026-05-18 | 4.3 Medium |
| Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602 | ||||
| CVE-2026-42051 | 1 Getkirby | 1 Kirby | 2026-05-18 | 4.3 Medium |
| Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0. | ||||
| CVE-2026-42069 | 1 Getkirby | 1 Kirby | 2026-05-18 | 6.5 Medium |
| Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | ||||
| CVE-2026-42137 | 1 Getkirby | 1 Kirby | 2026-05-18 | 6.5 Medium |
| Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0. | ||||
| CVE-2026-42174 | 1 Getkirby | 1 Kirby | 2026-05-18 | 4.3 Medium |
| Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | ||||
| CVE-2021-44793 | 1 Krontech | 1 Single Connect | 2026-05-18 | 8.6 High |
| Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information including the database credentials. Since the database runs with high privileges it is possible to execute commands with the attained credentials. | ||||
| CVE-2021-44794 | 1 Krontech | 1 Single Connect | 2026-05-18 | 5.3 Medium |
| Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information. | ||||
| CVE-2021-44795 | 1 Krontech | 1 Single Connect | 2026-05-18 | 5.3 Medium |
| Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users without authenticating. | ||||
| CVE-2021-44792 | 1 Krontech | 1 Single Connect | 2026-05-18 | 5.3 Medium |
| Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information. | ||||
| CVE-2026-44374 | 1 Backstage | 3 Plugin-catalog-backend-module-unprocessed, Plugin-catalog-unprocessed-entities, Plugin-catalog-unprocessed-entities-common | 2026-05-17 | 4.3 Medium |
| Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30. | ||||
| CVE-2025-15023 | 1 Yordam | 1 Library Automation System | 2026-05-17 | 8.8 High |
| Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Library Automation System: from v.19.5 before v.22.1. | ||||